Bug 1339129
| Summary: | ipa vault-archive overwrites an existing value without warning | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Marc Muehlfeld <mmuehlfe> |
| Component: | ipa | Assignee: | IPA Maintainers <ipa-maint> |
| Status: | CLOSED ERRATA | QA Contact: | Kaleem <ksiddiqu> |
| Severity: | unspecified | Priority: | unspecified |
| Version: | 7.2 | CC: | apetrova, frenaud, ndehadra, pasik, pvoborni, rcritten, sumenon |
| Target Milestone: | rc | Target Release: | --- |
| Hardware: | Unspecified | OS: | Unspecified |
| Fixed In Version: | ipa-4.6.4-1.el7 | Doc Type: | If docs needed, set a value |
| Last Closed: | 2018-10-30 10:55:57 UTC | Type: | Bug |

Description
Marc Muehlfeld
2016-05-24 08:33:17 UTC
Upstream ticket: https://fedorahosted.org/freeipa/ticket/5922

Current behavior is consistent with other IPA commands. None of the ipa mod commands asks for confirmation and therefore it should be the same here. But it may not be clear that a vault can contain only one value. So this behavior can be documented better - both in the vault help and the Linux Identity and Management guide.

I agree that with mod commands, it's not necessary to have a warning. Whenever someone is modifying something, they should expect that something to be changed or replaced. However, from my understanding of the RFE, the purpose of "ipa vault-archive" is to save data (not to change it). So as a user, I wouldn't expect anything to be rewritten -- that's why I agree with Marc that a request for confirmation would be nice.

Fixed upstream

master: https://pagure.io/freeipa/c/e06c7566fdc540734eb62eb2ff1d149a6378e97a

ipa-4-6: https://pagure.io/freeipa/c/9864ea2313978de7a6e6333b611390a7d2320338

Fix is seen in the "ipa vault help".

Verified on Red Hat Enterprise Linux Server release 7.6 Beta (Maipo) using

ipa-server-4.6.4-3.el7.x86_64
sssd-1.16.2-11.el7.x86_64
389-ds-base-1.3.8.4-9.el7.x86_64
krb5-server-1.15.1-34.el7.x86_64
pki-server-10.5.9-4.el7.noarch
selinux-policy-3.13.1-211.el7.noarch

```
[root@master]# ipa-kra-install
The ipa-kra-install command was successful

[root@master yubico]# ipa vault-add
Vault name: my-first-vault
New password:
Enter New password again to verify:
----------------------------
Added vault "my-first-vault"
----------------------------
  Vault name: my-first-vault
  Type: symmetric
  Salt: 8eIXcphEJ1mlXil/iI/jgw==
  Owner users: admin
  Vault user: admin

[root@master yubico]# ipa vault-archive my-first-vault --data AbcD3fg8
Password:
-----------------------------------------
Archived data into vault "my-first-vault"
-----------------------------------------

[root@master yubico]# ipa vault-retrieve my-first-vault
Password:
------------------------------------------
Retrieved data from vault "my-first-vault"
------------------------------------------
  Data: AbcD3fg8

[root@master yubico]# ipa vault-archive my-first-vault --data dmVyeSBzZWNyZXQ=
Password:
-----------------------------------------
Archived data into vault "my-first-vault"
-----------------------------------------

[root@master ~]# ipa help vault
Vaults

Manage vaults.

Vault is a secure place to store a secret. One vault can only store one secret. When archiving a secret in a vault, the existing secret (if any) is overwritten.
```

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2018:3187
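
Because the fix only documents the overwrite, a caller who wants the confirmation discussed in this report has to check the vault before archiving. The wrapper below is an added example, not part of the bug report or of FreeIPA. The function name `safe_vault_archive`, its `--force` switch and the `IPA_CMD` override are hypothetical, and it assumes that `ipa vault-retrieve` on a vault with nothing archived succeeds and returns empty data.

```shell
#!/bin/sh
# Added example: refuse to run "ipa vault-archive" when the vault already
# holds a secret. Names below (safe_vault_archive, --force, IPA_CMD) are
# hypothetical and not part of FreeIPA.
#
# Usage: safe_vault_archive VAULT INFILE [--force] [extra ipa options...]
# Extra options (for example --password-file or --shared) are passed to
# both the retrieve and the archive call.
# Exit status: 0 archived, 1 error or vault could not be inspected,
#              2 refused because the vault is not empty.
safe_vault_archive() (
    # The function body is a subshell, so these variables stay local.
    vault="$1"; infile="$2"; shift 2
    force=0
    if [ "${1:-}" = "--force" ]; then force=1; shift; fi
    ipa_cmd="${IPA_CMD:-ipa}"

    if [ "$force" -eq 0 ]; then
        umask 077
        tmp="$(mktemp)" || return 1
        # The current secret, if any, is written to $tmp; it is removed
        # again on every path below.
        if ! "$ipa_cmd" vault-retrieve "$vault" --out "$tmp" "$@" >/dev/null; then
            rm -f "$tmp"
            # Fail closed: an unreadable vault is not treated as empty.
            echo "cannot inspect vault \"$vault\"; not archiving" >&2
            return 1
        fi
        if [ -s "$tmp" ]; then
            rm -f "$tmp"
            echo "vault \"$vault\" already holds a secret; pass --force to overwrite" >&2
            return 2
        fi
        rm -f "$tmp"
    fi

    "$ipa_cmd" vault-archive "$vault" --in "$infile" "$@" || return 1
)
```

The check and the archive are two separate calls, so this guards against an accidental overwrite, not against another client archiving into the same vault in between.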